A Primer on the PIM Framework


How enterprise risk management practices impact the Standard & Poor’s rating process.

Fortnightly Magazine - June 2007

About a year ago, Standard & Poor’s expanded the methodology used to review and assess the enterprise risk management practices of U.S. energy firms with trading desks. The methodology, known as the PIM framework, focuses on the three aspects of policies, infrastructure, and methodology, and produces a comprehensive evaluation of a firm’s risk management. The importance of each of these aspects in a company’s risk culture, and our opinion of its risk management quality, will depend on that company’s size, complexity, and range of risk.

Strong enterprise risk management is vital to the financial health and creditworthiness of energy companies with trading desks. Energy traders take complex risks every day, so energy companies have to be able to identify risks correctly and have the right tools to measure those risks. If risk-management practices are inadequate or are poorly integrated, the rating can suffer.

Incorporating PIM into the rating process enables rating companies to understand a company’s management better. Analysts now think not just about current risks and control processes, but also about potential and emerging risks, and how those fit into the risk assessment framework.


In PIM, policies incorporate business strategy, risk tolerance, and risk authorities and disclosure. Energy companies with trading desks must have appropriate risk-management tools and policies that are not just consistent with their goals, but are also clearly articulated, well understood, and well communicated throughout the enterprise.

Key elements of that policy should include consistency and linkages between strategy and risk management, clear risk policies, and effective internal and external disclosure of the level and complexity of the company’s risk-taking. In addition, senior management must be engaged in the process, and corporate governance must be engaged through accountability, effective board access, authority, and management reporting.

Processes must be in place to monitor risk authority limits and enforce consequences for exceeding those limits. Disclosure policies must be clear, reporting timely and accurate, and internal operations procedures such as valuation of collateral, knowledge of counterparties, risk limits, and trade reconciliation must be well-documented and well-executed.


The infrastructure aspect focuses on technology, personnel, data, and operations, and the level of firm-wide integration the risk management function has achieved. A firm’s technology needs to be commensurate with its risk-management needs. Commodity traders at energy firms routinely take complex risks, so the firms need sophisticated integrated technology to comprehensively and correctly analyze those risks and their impact on the enterprise.

We assess the risk-management staff by evaluating their seniority, education, career paths, and training. We also look at whether their compensation is linked to risk-management goals, and whether the department’s budget is sufficient for its needs.

Transaction sources, market data quality and integrity, and back office staff and operational quality also are examined. We consider back office operations integral, so we assess not just procedures and controls, but the operations staff’s training, education and knowledge as well.


Measuring operational risk